1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention provides a method and apparatus for multicomputer communication using cryptography.
2. Description of Related Art
Web-based and Internet-based applications have become so commonplace that when one learns of a new product or service, one assumes that information about it can be found on the World Wide Web and that, if appropriate, the product or service will incorporate Internet functionality. Many corporations have employed proprietary data services for many years, but it is now commonplace for individuals and small enterprises to have access to digital communication services that operate through the Internet, which has caused the amount of electronic communication on the Internet to grow rapidly.
One of the factors influencing the growth of the Internet is the adherence to open standards for much of the Internet infrastructure. Individuals, public institutions, and commercial enterprises alike are able to introduce new content, products, and services that are quickly integrated into the digital infrastructure of the Internet because of their ability to exploit common knowledge of open standards.
Concerns about the integrity and privacy of electronic communication have also grown with the adoption of Internet-based services. Various encryption and authentication technologies have been developed to protect electronic communication. For example, an open standard promulgated for protecting electronic communication is the X.509 standard for digital certificates.
An X.509 digital certificate conforms to an International Telecommunication Union (ITU) standard that has been adopted by the Internet Engineering Task Force (IETF). It cryptographically binds the certificate holder, presumably identified by the subject name within the certificate, with the certificate holder's public cryptographic key. This cryptographic binding is based on the involvement of a trusted entity in the Public Key Infrastructure (PKI) called a “certificate authority”. As a result, a strong and trusted association between the certificate holder and its public key can become public information yet remain tamper-proof and reliable. An important aspect of this reliability is a digital signature that the certificate authority stamps on a certificate before it is released for use. Subsequently, whenever the certificate is presented to a system for use of a service, its signature is verified before the certificate holder is authenticated. After the authentication process is successfully completed, the certificate holder may be provided access to certain information, services, or controlled resources, i.e., the certificate holder may be authorized to access certain systems.
Although PKI technology provides robust standards for secure communication, PKI technology has been adopted slowly. One reason for the slow deployment of PKI is the complexity of PKI management. A typical PKI-compliant application needs to perform a series of tasks in order to satisfy the requirements of the PKI standards, thereby requiring a software developer to learn the extensive requirements of the PKI standards.
For example, a PKI-based data communication session would require a remote party to present a digital certificate to a receiving party. In order for the receiving party to accept the digital certificate to authenticate the remote party's identity, the certificate authority that has signed the remote party's certificate must be trusted by the receiving party. However, the receiving party may not know the certificate's signer, and the receiving party would need to construct a path of trusted relationships, i.e., a trust path, that links an entity that is trusted by the receiving party, e.g., its own certificate authority, to the remote party's certificate. This trust path is also called a certification path, and the set of certificates that are linked in this manner is often referred to as a certificate chain, which includes the remote party's certificate and one or more intermediate certificates. Validation of a certificate chain requires a signature verification and a certificate revocation status check for each of the certificates within the chain, which is a time-consuming task whose cost increases as the certificate chain grows longer.
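The trust-path construction and per-certificate checks described above can be sketched as follows; this is an added example, not code from the original document. The `Cert` record, the textbook-RSA toy keys built from Mersenne primes, and all names and serial numbers are constructed assumptions, and only the two checks named above are modeled (real path validation also checks validity periods and certificate constraints).

```python
import hashlib
from dataclasses import dataclass
E = 65537  # public exponent of the toy textbook-RSA keys (constructed, not secure)

def keypair(a, b):  # toy key from the Mersenne primes 2**a-1 and 2**b-1 -> (n, d)
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass
class Cert:
    subject: str
    issuer: str
    n: int        # subject's public modulus
    serial: int
    sig: int = 0  # issuer's signature over digest()
    def digest(self, mod):
        tbs = f"{self.subject}|{self.issuer}|{self.n}|{self.serial}".encode()
        return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % mod

def issue(subject, n, serial, issuer, issuer_n, issuer_d):
    cert = Cert(subject, issuer, n, serial)
    cert.sig = pow(cert.digest(issuer_n), issuer_d, issuer_n)
    return cert

def build_and_validate(target, pool, anchors, revoked):
    """Walk issuer links from target to a trust anchor, checking every certificate."""
    chain, seen, cert = [], set(), target
    while True:
        if cert.subject in seen:
            raise ValueError("loop in issuer links")
        seen.add(cert.subject)
        if (cert.issuer, cert.serial) in revoked:   # revocation status check
            raise ValueError(f"revoked: {cert.subject}")
        parent = pool.get(cert.issuer)
        issuer_n = anchors.get(cert.issuer) or (parent.n if parent else None)
        if issuer_n is None:
            raise ValueError(f"no trust path: unknown issuer {cert.issuer}")
        if pow(cert.sig, E, issuer_n) != cert.digest(issuer_n):  # signature check
            raise ValueError(f"bad signature on {cert.subject}")
        chain.append(cert)
        if cert.issuer in anchors:
            return chain
        cert = parent

# Constructed sample PKI: root (trust anchor) -> intermediate -> remote party
(ROOT_N, ROOT_D), (INT_N, INT_D) = keypair(31, 61), keypair(89, 107)
INTERMEDIATE = issue("CN=Intermediate CA", INT_N, 2, "CN=Root CA", ROOT_N, ROOT_D)
LEAF = issue("CN=remote.example", keypair(13, 17)[0], 7, "CN=Intermediate CA", INT_N, INT_D)
ANCHORS, POOL = {"CN=Root CA": ROOT_N}, {INTERMEDIATE.subject: INTERMEDIATE}
```

Each additional intermediate certificate adds one revocation lookup and one signature verification to the loop, which is the growth in cost noted above.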
In order to interact with many other Internet-related applications, most client applications now need the capability of building and validating certification paths in order to set up a PKI-compliant communication session. Therefore, it would be advantageous to have a method and system for performing PKI-compliant certificate path processing activities that minimizes the need for a software developer to be familiar with the PKI standards that are involved.